Quantcast
Channel: SCN : All Content - All Communities
Viewing all articles
Browse latest Browse all 8076

SAP BW Authorization - InfoObjects level authorization

$
0
0

I have seen recently several issues and doubts from customers and colleagues by setting the authorization profiles to his users. Therefore I decided to create this blog, for describe a little how BW authorization concept works. With SAP BW Authorization concept, you are allowed to restrict data access on Key figure, Characteristic, Characteristic value, Hierarchy node, and InfoCube levels. That provides you more flexible data access management.

 

Now at this point I will show you how you can restrict access to SAP BW reports on InfoObjects level.

 

Initial settings

 

At the beginning activate business content objects (TCode RSORBCT) related to authorizations:

InfoObjects 0TCA*

InfoCubes 0TCA*

and set the following InfoObjects as Authorization-Relevant:

0TCAACTVT (activity such as Display)

0TCAIPROV (InfoProvider authorization)

0TCAVALID (validity period of authorization)

0TCAKYFNM (if you want to restrict access to key figure)

 

Characteristics authorization

 

Use TCode RSA1, go to Modelling -> InfoObjects. Display properties of the characteristic to which you want to restrict access and set it as Authorization-Relevant.

1.png

Characteristics values authorization

 

To authorize characteristics values you need to create new authorization object through TCode RSECADMIN. The following pictures show how allow users to access to specific sale organization (e.g., New York, San Francisco, Dallas).

1. Create new authorization object (e.g., Z_SORG_B).

2.png

 

2. Choose characteristic and press Details button.

3.png

 

3. Select sales organization (e.g., 1612 - New York, 1614 - San Francisco, 1615 - Dallas). Available operators: EQ - single value, BT - range of values, CP - pattern ending with (*) (e.g., abc*). You have also option to Include (I) or Exclude (E) values

4.PNG

 

Attributes authorization

 

To authorize navigational attributes, set them as Authorization-Relevant.

 

5.png

 

Hierarchies authorization

 

To grant authorization on hierarchy level edit or create authorization object (e.g., Z_SORG_B), add hierarchy and nodes, and choose type of authorization.

 

6.png

Key figure authorization

 

To grant authorization to particular key figure, add special object 0TCAKYFNM to authorization object (e.g., Z_SORG_B), and choose the key figure to be authorized.

 

7.png

 

Summary

 

InfoObject level authorization gives you a great flexibility, but keep in mind system limitations. Avoid setting too many characteristics as authorization relevant (more than 10 in a query). All marked characteristics are checked for existing authorization if they are in a query or in an InfoProvider that is being used. Too much authorization objects may slow query execution. Exception are characteristics with all (*) authorization. If you want to check which InfoObjects are authorization relevant in your BW system, use TCode RSECADMIN -> Authorization Maintenance and display 0BI_ALL authorization.

 

Remember that authorization do not work as a filters do. It means that the user who is executing the query, where characteristics are authorization relevant, must have sufficient authorization to the characteristics ("all-or-nothing" rule). Exceptions are hierarchies in the drill down and variables which are dependent on authorization.


Viewing all articles
Browse latest Browse all 8076

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>